Giving hackers a dose of their own poison

Technique allows agencies to turn hackers' tools against them

By Kathleen Hickey

Apr 21, 2010

Hackers who attack federal Web sites may soon be in for a dose of their own poison. The government is able to use hackers' own malware to strike back, and some may already be doing so, according to reports.

Security consultant Andrzej Dereszowski last week demonstrated his proof-of-concept idea at Black Hat Europe. While illegal for companies, some government agencies may be able to use such techniques, or may already be using them, reported Kelly Jackson Higgins this week in Dark Reading. These techniques are similar to those used for botnet infiltration research, Dereszowski added.

While an IT professional would need to know reverse engineering and exploit-development techniques, the method is generic and could be applied to any case, allowing organizations to quickly analyze and respond to malware attacks, said Dereszowski.

Dereszowski's PoC exploited a buffer overflow bug in the malicious Poison Ivy trojan, which was in an infected PDF sent to a pharmaceutical company. He ran the attack from his virtual machine against the trojan's own command-and-control server.

Dereszowski began by assuming the malicious code was publicly available online, and then ran static analysis of the code. He then ran Metasploit shellcode to open an active connection to the command-and-control server. The counterattack would be invisible to the attacker, and would exit the system once finished, leaving the exploit behind with a window into the server.

This form of counterattack could apply to other trojans, such as the pervasive Zeus Trojan, said Dereszowski, as long as there is access to the attacker's server and the malware code. While the counterattack could theoretically "do lots of damage because you would have full permission on their host," the actual effects depend on how well the attacker's own systems are protected, he said.

Targeted attacks on government agencies are common and on the rise, and are frequently done by other governments to steal data. In a recent poll at FOSE, reported by GCN, 94 percent of government and related information technology professionals believe federal agencies and networks get attacked every day. The findings were similar to CDW-G’s November 2009 Federal Cybersecurity Report.

A copy of Dereszowski's white paper on the counterattack research, released March 15, is available here for download (PDF).